PingOne Advanced Identity Cloud

MFA: Authenticate using push notification

You can use push notifications as part of the authentication process.

To receive push notifications when authenticating, end users must register an Android or iOS device with PingOne Advanced Identity Cloud. The registered device can then be used as an additional factor when authenticating. PingOne Advanced Identity Cloud can send the device a push notification, which can be accepted by the ForgeRock Authenticator app. In the app, the user can allow or deny the request that generated the push notification and return the response to PingOne Advanced Identity Cloud.

About push

The following steps occur as a user completes a push notification journey:

  1. The user provides credentials to let PingOne Advanced Identity Cloud locate the user profile and determine if they have a registered mobile device.

  2. PingOne Advanced Identity Cloud prompts the user to register a mobile device if they have not done so already.

    The user registers their device through the ForgeRock Authenticator app. The app supports a variety of methods to respond to push notifications from tapping a button to biometrics if the device supports them.

    Registering a device stores device metadata in the user profile that is required for push notifications. PingOne Advanced Identity Cloud uses the configured ForgeRock Authenticator (Push) service, which supports encrypting the metadata.

    For more information, refer to Manage devices for MFA.

  3. When the user has a registered device, PingOne Advanced Identity Cloud creates a push message specific to the device.

    The message has a unique ID that PingOne Advanced Identity Cloud stores while waiting for the response.

    PingOne Advanced Identity Cloud writes a pending record with the same message ID to the CTS store for redundancy should an individual server go offline during the authentication process.

  4. PingOne Advanced Identity Cloud sends the push message to the registered device, using the configured push notification service.

    Depending on the registered device, PingOne Advanced Identity Cloud uses either Apple Push Notification Services (APNS) or Google Cloud Messaging (GCM) to deliver the message.

    PingOne Advanced Identity Cloud begins to poll the CTS for an accepted response from the registered device.

  5. The user responds to the notification through the ForgeRock Authenticator app on the device, for example, approving or rejecting the notification.

    The app responds to the push notification message with the user’s choice.

  6. PingOne Advanced Identity Cloud verifies the message is from the correct registered device and has not been tampered with, and marks the pending record as accepted if valid.

    PingOne Advanced Identity Cloud detects the accepted record and redirects the user to their profile page, completing the authentication.

Implement push

The following table summarizes the tasks to perform to implement push authentication in your environment:

Task Resources

Configure authentication

If you’re planning to implement passwordless push authentication, see also Limitations of passwordless push authentication.

Test push authentication

After configuring the ForgeRock Authenticator (Push) service, the push notification service, and a push authentication journey, download theForgeRock Authenticator app and test your configuration.